There may be no better symbol of
the nation's modern, high-tech
military—not to mention US
military might—than its fleet of Predator
drones. So it surely caused a few red
faces at the Pentagon when it was
discovered that insurgents in both
Afghanistan and Iraq had used $26
software to intercept live video feeds
from the unmanned planes.
Oops.
Or consider a story relayed by the
Alliance for Enterprise Security Risk
Management about an interruption to an
organization's computer network. Initially
thought to be a server crash, it turned out
to be the result of RAM being physically
stolen from servers in the data center
by thieves who couldn't be identified
because building surveillance cameras
were malfunctioning. The organization in
question? A police department.
Again, oops.
All industries have had similar oops
moments. Security experienced one in
October 2016 when network-connected
surveillance cameras and DVRs were
implicated as a primary distributor of
the Mirai botnet, which enabled DDoS
attacks on eighteen data centers around
the world and disrupted activities at some
of the Internet's biggest names, including
Amazon, Spotify, and Twitter.
Securing Loss Prevention Technology
The cyber vulnerability of security
devices is a hot topic at security
conference roundtables and in industry
webinars these days. It's not hard to see
why. There is growing pressure on loss
prevention to enhance store operations
and boost sales. We're in an environment
of high—and growing—expectations. So
a security device that doesn't clear an even
lower bar—by failing to provide payback
as promised—is not likely to go over
well with the senior team. And a security
investment that doesn't actually deliver
security or, worse, a security device that
actually introduces security risk? Well,
that seems like a career killer.
LP executives must ensure that
connected security devices do not provide
hackers a new way to enter the company
network. "You can't allow your security
solution to become a threat vector,"
warned Gavin Bortles, president of
Kepler Networks, a network engineering
services provider. David Tyburski, chief
information security officer for Wynn
Resorts, echoed that view. "We can't be
injecting risk—we are supposed to be
about reducing risk," he said.
As for why it does happen, why at
any given time you can monitor nearly a
million private security cameras online, or
why a recent multimillion-dollar security
install at a massive theme park had IP
addresses written right on the security
cameras, there is blame to go around.
It's wrong to assume just because they
are security systems that manufacturers
have made them secure, according to a
study by the Government Accountability
Office (GAO) on vulnerabilities in
federal facilities. It noted, "Cyber-security
experts that we interviewed generally
said that building and access-control
systems are vulnerable to cyber attacks.
One expert, for example, noted that
control systems were not designed
with cyber security in mind." The US
government has said connected devices
pose "substantial safety and economic
risks" and has called for immediate
action to improve the security of
Internet of Things (IoT) devices—but
has proposed no specific penalties for
manufacturers that fail to comply.
Bill Bozeman, president and CEO
of PSA Network, an organization of
200-plus electronic security systems
integrators, thinks manufacturers of
security products need to do a better
job of ensuring their safety. "They get
a D in my book," he said in a recent
conference address.
The security marketplace is crowded
with vendors hoping to take advantage
of a hot market, and not all of them do
proper due diligence with respect to the
security and safety of their products,
warn experts. Even product testing
can't always offer the same safety
assurance it used to, a representative
from Underwriters Laboratories
told LP Magazine, because today's
software-driven products are dynamic
and update functions and features on
the fly.
Roger Johnston, PhD, founder and
CEO of Right Brain Sekurity, a firm
that conducts vulnerability assessments,
believes that vulnerabilities—in the
very security devices that are designed
to offer a company protection—are
more common than security and
LP practitioners think. According to
Johnston, engineers and manufacturers
focus on simplifying user operation
and the service of devices. These very
conveniences, however, often make it
simple to tamper with them.
Vendors aren't the only ones
criticized for cutting corners. Integrators
have also been in the hot seat
for, among other things, calling a
system install complete with default
passwords still in place. Joe McDonald,
chief security officer for Switch, an
information technology and services
firm, said "integrators have to do a
better job" of asking clients about their
password protocol and not leaving a
project until it's secure. The risk from
SECURITY'S SECURITY
SEPTEMBER-OCTOBER 2017 | LOSSPREVENTIONMEDIA.COM